Now that Sony’s controversial movie The Interview is being streamed online via Google Play and other services, many are celebrating this as a gesture of defiance towards North Korea, and the dictatorship’s threats related to the film’s release — allegedly the reason for the hack that hit Sony earlier this month. But do we know for a fact that North Korea was the mastermind behind this attack? A number of prominent security analysts aren’t so sure.
There was much debate about the actual culprit following the release of Sony’s hacked emails, until the FBI said that it had conclusive evidence that North Korea was involved. But security experts like Bruce Schneier and Marc Rogers — a security analyst for the content-delivery network Cloudflare — say they don’t see the federal agency’s evidence as being all that persuasive. Here’s a look at what the FBI claims, and what skeptics like Schneier and Rogers argue:
Re-use of similar code: The bureau said one of the elements of the hack that suggested North Korea was involved was the use of code fragments that have been used in other cyber-attacks or hacking attempts in which the dictatorship was proven to be involved. As the FBI release described it:
[blockquote person=”” attribution=””]”Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”[/blockquote]
But Rogers says this isn’t really a smoking gun — the code he believes the FBI is talking about, known as Shamoon, is known to have been leaked widely and is now available for any criminal hacker to use, so it can’t really tie Sony conclusively to North Korea. Schneier, meanwhile, said that re-use of code is actually a fairly compelling argument for it not being the work of the North Korean government — although he said the North Korean regime may have stepped in later to take advantage of the hack for PR purposes.
Use of known IP addresses: The FBI’s other main piece of evidence that North Korea was involved was the fact that a number of specific IP addresses or domains were “hard coded” into the software used in the hacking attack, addresses that were known to have been used in previous attacks involving North Korea:
[blockquote person=”” attribution=””]“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”[/blockquote]
But Rogers says the “naivety of this statement beggars belief.” Just because a system with a particular IP address was used for a cyber-crime doesn’t mean that it will always be associated with crimes, he says. Many IP addresses are dynamic, meaning they are part of a pool that internet providers draw from and assign randomly. And the fact that some of those IP’s are known proxies meant to throw security researchers off the trail doesn’t necessarily mean North Korea is involved (there’s more technical detail here).
Ties to the movie: Both Rogers and Schneier note, as others have as well, that the connection between the movie The Interview and the hack attack itself was only made after the emails were released, and was a theory promoted mostly by the media — the movie itself wasn’t mentioned by the hackers in any of their communications with Sony until after it had become a media story. Both analysts believe the hackers may have played up this connection for “the lulz.”
Rogers notes that the use of passwords and other security features suggests that the hack involved at least one Sony employee or former employee, since the hack relied on an “extensive knowledge” of the company’s internal systems and procedures. While that doesn’t mean it was necessarily an all-inside job, it suggests that whoever masterminded the attack likely had help from someone on the inside. And an analysis of the language used in the software indicates it is more likely to be a Russian speaker than a North Korean speaker.
Schneier, Rogers and a number of other experts also noted that the FBI could have classified information that it isn’t able to release that conclusively ties North Korea to the crime — but they also point out that the U.S. government claimed to have similar evidence that Iraqi dictator Saddam Hussein had “weapons of mass destruction,” and that turned out to be a bust. Whether North Korea joins that list of ignominious foreign-intelligence gaffes remains to be seen.